Role in IT decision-making process:Align Business & IT GoalsCreate IT StrategyDetermine IT NeedsManage Vendor RelationshipsEvaluate/Specify Brands or VendorsOther RoleAuthorize PurchasesNot Involved

Work Phone:

Company:

Company Size:

Industry:

Street Address

City:

Zip/postal code

State/Province:

Country:

Occasionally, we send subscribers special offers from select partners. Would you like to receive these special partner offers via e-mail?YesNo

Your registration with Eweek will include the following free email newsletter(s):News & Views

By submitting your wireless number, you agree that eWEEK, its related properties, and vendor partners providing content you view may contact you using contact center technology. Your consent is not required to view content or use site features.

By clicking on the "Register" button below, I agree that I have carefully read the Terms of Service and the Privacy Policy and I agree to be legally bound by all such terms.

Clientless SSL VPN Products Open Web Browser Security Hole

US-CERT has issued a warning about impacting dozens of clientless SSL VPN products it says can be exploited to break Web browser security.
The issue is not a bug per se, but actually a security hole opened by the way the products operate. Web browsers enforce same origin policy to prevent

US-CERT has issued a warning about impacting dozens of clientless SSL VPN products it says can be exploited to break Web browser security.

The issue is not a bug per se, but actually a security hole opened by the way the products operate. Web browsers enforce same origin policy to prevent active content from one site from accessing or modifying data on another. According to the US-CERT advisory, because many clientless SSL VPN products retrieve content from different sites and then present it as coming from the SSL VPN, the products effectively circumvent same origin restrictions.

"By convincing a user to view a specially crafted web page, a remote attacker may be able to obtain VPN session tokens and read or modify content (including cookies, script, or HTML content) from any site accessed through the clientless SSL VPN," the advisory states. "This effectively eliminates same origin policy restrictions in all browsers. For example, the attacker may be able to capture keystrokes while a user is interacting with a web page."

Since all content runs at the privilege level of the Web VPN domain, things such as Internet Explorer security zones and NoScript for Firefox that provide domain-based content restrictions can be bypassed. The situation impacts a number of vendors, from Cisco to McAfee to Check Point Software Technologies.

Though there is no solution to the problem, US-CERT recommends administrators take the following actions: limit URL rewriting to trusted domains, limit VPN server network connectivity and disable URL hiding features.